MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b61b4c9c6e48be5b208893c5cfe8ca6ab68eae6935038a177d495902fc4572e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 8



SHA256 hash: b61b4c9c6e48be5b208893c5cfe8ca6ab68eae6935038a177d495902fc4572e9
SHA3-384 hash: 91d8bf38f046f809e3b275c2c3a115ffb69db62712e6e069bbf7090d4bc58b627409f7a0040837aff24abeee72aaad71
SHA1 hash: da5f56dbf05eda4a2850f7a7da70adf6704598c6
MD5 hash: befcf381f4d65a1b3d112ce3efb4c4fa
humanhash: sad-lima-glucose-fourteen
File name: app.jar
File size: 29'642'392 bytes
First seen: 2025-09-13 19:18:47 UTC
Last seen: Never
File type: Java file jar
MIME type: application/zip
ssdeep: 786432:LDNcvQGN5q+feL1rC8Mk4CrpPXjstm97IDEz9:LDNc4Y55eLVC8MkDtPXWu7I4z9
TLSH: T175570219D25F403ACA57D67928EF4BE6FF30829F8221571F23F439198CD2B890B62759
TrID: 55.0% (.SPE) SPSS Extension (30000/1/7)
      24.7% (.JAR) Java Archive (13500/1/2)
      12.8% (.MAFF) Mozilla Archive Format (gen) (7000/1/1)
      7.3% (.ZIP) ZIP compressed archive (4000/1)
Magika: jar
Reporter: burger
Tags: jar payload

Intelligence


File Origin
# of uploads: 1
# of downloads: 39
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: app.jar
Verdict: Malicious activity
Analysis date: 2025-09-13 19:14:43 UTC
Tags: arch-doc discord java stealer generic

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug anti-vm lolbin macros-on-close obfuscated runonce

Verdict: Malicious
File Type: jar
First seen: 2025-09-14T08:56:00Z UTC
Last seen: 2025-09-14T08:56:00Z UTC
Hits: ~10
Detections: Trojan-PSW.Win32.Greedy.sb

Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.expl
Score: 84 / 100
Signature
Attempt to bypass Chrome Application-Bound Encryption
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph (ID 1777082; sample app.jar; start date 13/09/2025; architecture WINDOWS; score 84):

Sample (root node)
  Network: upload.gofile.io; raw.githubusercontent.com; 2 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for dropped file; Attempt to bypass Chrome Application-Bound Encryption; 4 other signatures
  Started: cmd.exe; msedge.exe

cmd.exe
  Started: java.exe; conhost.exe

msedge.exe
  Network: 239.255.255.250 (unknown, Reserved)
  Dropped: C:\Users\user\AppData\Local\...\Login Data (SQLite); C:\Users\user\AppData\Local\...\History (SQLite)
  Started: msedge.exe (child)

java.exe
  Network: upload.gofile.io 94.139.32.15, 443, 49750 (ENIX-ASFR, Belgium); github.com 140.82.116.3, 443, 49748 (GITHUBUS, United States); 3 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\micro.exe (PE32+); sqlite-3.49.1.0-08...acce-sqlitejdbc.dll (PE32); C:\Users\user\...\jna9061546626353444099.dll (PE32)
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)
  Started: taskkill.exe (3 instances); 22 other processes

msedge.exe (child)
  Network: s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49731 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); ax-0001.ax-msedge.net 150.171.27.10, 443, 49732 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 20 other IPs or domains

taskkill.exe (each of the 3 instances)
  Started: conhost.exe

22 other processes
  Started: conhost.exe (3 instances); 19 other processes
Result
Malware family: n/a
Score: 8/10
Tags: defense_evasion discovery execution pyinstaller spyware stealer
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Detects Pyinstaller
Enumerates processes with tasklist
Legitimate hosting services abused for malware hosting/C2
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Sample: Java file jar b61b4c9c6e48be5b208893c5cfe8ca6ab68eae6935038a177d495902fc4572e9 (this sample)
